[Bro-Dev] timer delays between different events for same connection

Aashish Sharma asharma at lbl.gov
Fri Apr 13 07:07:01 PDT 2018

Ah! it is obvious now! 

Yep that was it. Its a relatively slow scan and I only extracted all activity
for this specific source IP out of timemachine. 

I didn't see this behavior in other test cases because there I pull scanners
based on ports so somewhat of more 'fluid' traffic. 


On Fri, Apr 13, 2018 at 07:46:33AM -0400, Seth Hall wrote:
> On 13 Apr 2018, at 0:30, Aashish Sharma wrote:
> > So I am seeing some weird stuff in my sample pcap of scanners. May be
> > too
> > obvious and I am just not seeing why/how of it.
> It's a straight forward answer but not completely obvious. :)
> > Q. Why would connection_attempt event kick in after 36 minutes and 6
> > seconds ? (
> > 06:13:48 - 05:37:42 ) ?
> I bet that you have a jump in timestamps in your pcap.  Since Bro's internal
> clock is driven forward by seeing timestamps associated with packets it's
> possible that your pcap has a 36 minute jump in timestamps so Bro couldn't
> have possibly expired anything in the time before that because from its
> perspective there was an immediate jump in time.  You don't normally
> experience the effects of this behavior in traffic you're sniffing live
> because you will tend to have many packets every second so you see Bro's
> clock driven forward in very tiny increments as you would expect.  If you go
> a long time without receiving a packet is when stuff gets tricky.
>   .Seth
> --
> Seth Hall * Corelight, Inc * www.corelight.com

More information about the bro-dev mailing list